Speaker

Kristoffer Hatland

Security Architect - mnemonic AS

Oslo, Norway

Kristoffer has worked as a security architect for many years. For the last seven years he has focused mainly on cloud security and application security. Through multiple consulting engagements he has helped companies secure their cloud infrastructure and their applications.

Area of Expertise

  • Information & Communications Technology
  • Media & Information

Topics

  • IT Security
  • Cloud Security
  • Application Security
  • Azure Security
  • Information Security
  • Cloud Security Architecture
  • Cloud & DevOps
  • Cloud App Security

When nobody understands the system, nobody can fix it

Modern systems are built on layers of abstraction.

Infrastructure as Code, managed services, reusable modules, and platform tooling allow us to move fast and build complex systems quickly. And most of the time, everything works.

Until something breaks.

At that point, a simple question becomes surprisingly difficult to answer:
How does this system actually work?

In many environments, no single person understands the full picture. Components are deployed from templates, connected through abstractions, and operated by different teams. When failures occur, troubleshooting becomes slow, uncertain, and sometimes guesswork.

In this lightning talk, I’ll explore what happens when systems become too abstract to understand, and why the real risk is not just insecure infrastructure, but systems that are so complex that troubleshooting requires expertise most teams don’t have.

Because when things fail, someone still needs to understand what was built.

Combining identity and network controls in Azure: building for visibility, traceability and security

Cloud security in Azure is often approached through either identity or network controls. In practice, both are implemented, but rarely designed together.

This leads to architectures where private endpoints, VNet integration, and managed identities are in place, yet visibility is limited, trust boundaries are unclear, and it becomes difficult to understand how systems actually communicate.

In this session, we will explore how identity and network controls interact in real Azure environments, and how to design architectures that combine both to improve security, visibility, and traceability.

Using concrete Azure scenarios and demos, we will examine how traffic flows through private endpoints and VNet-integrated services, how managed identities govern access, and how these layers can either reinforce or undermine each other depending on design.

We will also walk through common anti-patterns and show how to redesign them to reduce implicit trust and improve observability.

Participants will leave with practical techniques and design patterns for building Azure architectures where identity and network controls work together to create systems that are easier to understand, monitor, and secure.

Infrastructure as Code Is Still Infrastructure

Human error is not increasing because people are worse.
It is increasing because we deploy things we no longer understand.

The calendar reads 2026 and many organisations are cloud-first, with strict Infrastructure-as-Code policies and a “you build it, you run it” mindset. Standardised landing zones, reusable templates, and pre-built modules allow teams to move fast and scale consistently. Whether these templates come from internal teams, hyperscalers, the community, or major cloud enablers, this approach often works very well. In many cases, things run exactly as intended.

The challenge appears when layers of abstraction accumulate. As systems grow more complex, flawed designs and security-relevant assumptions become harder to spot and harder to reason about. Teams deploy Infrastructure-as-Code they do not fully understand. A configuration that appears safe in a test environment may become insecure once it is promoted to production and exposed to real traffic and real threat actors.

To reduce this risk, organisations introduce policies, guardrails, and verified modules. These controls are necessary, but they have limits. When complex distributed systems are assembled from many interacting modules across cloud services, platforms, and runtimes, guardrails alone are not enough. If we do not understand the resulting infrastructure we are deploying, securing it becomes largely guesswork.

Infrastructure as Code is a powerful abstraction, but it does not remove responsibility. The architecture and the infrastructure are still real, even when hidden behind templates, Kubernetes, containers, or managed services. Working code is not the same as safe infrastructure.

This talk argues that templates and IaC are not a replacement for understanding and skilling. Just because a module works, or can be made to work, does not mean it should be deployed. In an environment where speed is rewarded and abstraction is the norm, rebuilding technical understanding must be treated as a core security control, not an optional nice-to-have.

Web-Application and API Protection: Do We Still Need It?

With modern security measures such as code scanning, library scanning, and image scanning, is there still a need for a full reverse proxy? Why should organisations continue to invest in Web-Application and API Protection (WAAP) even in IAM-based applications? This session will explore the evolving threat landscape in web security, including XSS, CSRF, API abuse, and automated attacks. We will discuss why traditional protections are still relevant, how WAAP provides critical security layers, and how it mitigates emerging threats such as API scraping, business logic exploitation, and AI-driven attacks.

CloudNetDraw - Automated Azure Network Diagrams

I made a tool that queries an Azure tenant and then generates a network diagram based on the output. The diagram is generated using draw.io and is fully flexible and editable. The solution is fully open-source and currently offered through a SaaS platform, https://www.cloudnetdraw.com/, or as a self-hosted option available on the same page or in the GitHub repo https://github.com/krhatland/cloudnet-draw.

Built on Python and structured JSON.
Generates both a high-level diagram showing each VNet in relation to its respective hub, and a mid-level diagram illustrating each subnet in each VNet and whether NSGs or UDRs are attached.

Can be presented as a quick 10-15 minute demo or as a 45-60 minute deep dive into the tech stack, depending on the audience.

Cloud Firewalls Are Failing

Cloud teams move fast! Firewall policy does not.
Most organizations still rely on static IP-based rules, leading to massive backlogs, brittle exceptions, and endless tickets like “Please open X.X.X.X to X.X.X.X:443”.

Why does this happen?

Because when we lift on-premise firewall thinking into the cloud, the model breaks. Even the best Next-Gen Firewalls fail when they are fed static objects instead of dynamic, metadata-driven policy.

In this session, we explore a modern approach to cloud firewalling:
using resource tags and cloud metadata to drive low-risk policy automatically, reducing rule sprawl and freeing firewall teams to focus on what actually matters — protecting critical assets instead of chasing ephemeral workloads.

You’ll learn why traditional rulebases collapse at cloud scale, how metadata can replace thousands of manual rules, and how to build a scalable, vendor-neutral architecture that aligns with Landing Zones and Zero Trust principles.

This talk is practical, opinionated, and entirely vendor-agnostic.
The technology exists in every major NGFW — the difference is how you architect and use it.

This session does not promote any firewall vendor.
All examples are vendor-neutral, focusing on architecture, metadata, and governance rather than product features. The principles apply equally across Azure Firewall, Palo Alto, Fortinet, Check Point, and other NGFW platforms.

Sikkerhetsfestivalen 2026 (Sessionize event, upcoming)

August 2026, Lillehammer, Norway
